QUESTION: We have an applicant for medical staff appointment who disclosed that he was under probation for a time during his residency. Despite our requests, he has refused to provide any additional information related to this matter. He also has declined to sign an authorization that would allow us to talk freely with his program director.
We have language in our Medical Staff Credentials Policy stating that the burden is on the applicant to provide any information requested, or his or her application will be held as incomplete. Is this a situation where we can rely on this provision?
ANSWER: Most definitely. When it comes to enforcing such a provision, the law is on your side. Courts from jurisdictions across the country have held that a hospital can refuse to process an application that is incomplete. For example, an Illinois appeals court, in a case with facts very similar to the situation described above, held that an applicant must
“provid[e] all information deemed necessary by the hospital…as a condition precedent to the hospital’s obligation to process the application.”
Similarly, an appeals court in Tennessee ruled in favor of the hospital in a case where a physician up for reappointment refused to release information on pending malpractice claims. In that case, the court found that that application for medical staff membership clearly required the physician to assist in providing the information necessary to determine his qualifications.
Of course, having good language in your Medical Staff documents (and on your application form) that makes it clear that the burden to provide information is on the applicant – and that an incomplete application will not be processed – is key. Since you stated that you have this language in place, you can feel confident in holding this application as incomplete until the applicant meets his burden of providing the information you need.
QUESTION: We received a HIPAA authorization form via e-mail, requesting a copy of the patient’s medical record for life insurance verification purposes. There is no signature on the form – just a typewritten name and some information regarding when the electronic signature occurred. Does this type of signature satisfy HIPAA’s requirement that authorization forms be “signed” by the patient?
ANSWER: Yes. The Health Insurance Portability and Accountability Act (“HIPAA”) does not require the signature on an authorization form to be physically placed there by the patient, signing with a pen. Rather, so long as the applicable state (the state where the patient is located and/or the state where the hospital is located) recognizes an electronic signature as legally binding and valid, it is fine for the authorization form to be signed electronically. In our experience, most states recognize electronic signatures as valid equivalents to signatures, for most purposes. But, you should check with counsel and have them research the applicable state law, to be sure.
Note the following FAQ from the Department of Health and Human Services Office of Civil Rights’ web page at http://www.hhs.gov/hipaa/for-professionals/faq/554/how-do-hipaa-authorizations-apply-to-electronic-health-information/:
How do HIPAA authorizations apply to an electronic health information exchange environment?
The HIPAA Privacy Rule requires the individual’s written authorization for any use or disclosure of protected health information (PHI) not otherwise expressly permitted or required by the Privacy Rule. For example, authorizations are not generally required to disclose PHI for treatment, payment, or health care operations purposes because covered entities are permitted to use and disclose PHI for such purposes, with few exceptions. Thus, to the extent the primary purpose of any electronic health information exchange is to exchange clinical information among health care providers for treatment, HIPAA authorizations are unlikely to be a common method of effectuating individual choice for the exchange. However, if the purpose of a covered entity sharing PHI through a health information organization is for a purpose not otherwise permitted by the Privacy Rule, then a HIPAA authorization would be required. In such cases, the Privacy Rule would allow covered entities to disclose PHI pursuant to an electronic copy of a valid and signed authorization. Further, the Privacy Rule allows HIPAA authorizations to be obtained electronically from individuals, provided any electronic signature is valid under applicable law.